Endpoint
2/18/2016
01:00 PM
Adam Shostack
Adam Shostack
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Security Lessons From My Car Mechanic

What an unlocked oil pan taught me about me about the power of two-way communication between security pros and the organizations they serve.

I was in the shop the other day because my car was making strange noises, and the mechanic told me that the oil pan had come unlocked. It was going to be an easy fix, once they removed the engine to get at the clamp that needed replacing.

When I tried to get an understanding of how severe the issue was, he told me that it could bounce around and break other bits of engine. I think he thought I was some sort of drooling idiot, and thought about taking away my keys. He probably also looked down his nose a bit because I was behind on my oil change. (It’s probably a good thing that oil changes are less enforced than password changes.)

Four hours and more money than I care to count later, I came to a realization. I had no idea what any of that meant. More importantly, I had no idea if I was being taken for a ride. But far more significantly, I realized that my conversation with the car mechanic was typical of how we security professional sound to the people who come to us with their problems.

(Image Source: Pixabay)
(Image Source: Pixabay)

No, actually, that’s a lie: We sound far, far, less understandable. On a good day: “There was a drive-by download from a malware site and then some pass the hash…” And on a bad one: “There’s a highly critical XSRF vuln in the WAF and we decided to take your site offline immediately while we patch.”

Let me start by ranting about the term “drive by downloads.” Are these exploits? If so, why don’t we simply talk about “browser vulnerabilities” and the exploit kits that select a payload that works on your browser? If so, maybe we should banish the term “drive by download” and say “browser vulnerabilities” and -- more importantly -- the fix is to keep your browser up to date? Similarly, “pass the hash” has come to mean a set of credential theft attacks, some of which no longer even involve hashes.

The second sentence is hard to understand for a different reason. First, it is acronym-heavy. But more important, the judgment calls are overwhelming. First, seriously, “highly critical?” I don’t even know what that is supposed to mean.

No, I do: It’s all about who comes up with these schemes. The answer, of course, is product managers trying to make their product’s report seem more serious. But no one is really served by a scale that starts from “very critical” and goes to “extremely critical.” Reality includes moderate and low severity findings. This problem has gotten so bad that there are now companies whose entire business advantage is providing a better scale. 

Or how about the statement: “We decided to take your site offline immediately.” Really? Did you think a little notification might be a good idea, first? Let me put you in touch with our marketing department about the promotion that we are running.

But I digress. What’s important here is that I worry when talking to car mechanics, and, similarly, those seeking help from us worry in the same way.

The car mechanic has studied and developed a set of skills. He cares deeply about the problem in front of him, and wants my car to run safely and efficiently. He knows that a bad set of brakes, a failure in the steering, or a host of other issues could literally kill me or others. There’s an analogy here. Like my mechanic, security professionals have worked hard to develop a set of skills. We tend to care deeply about the problems. We want systems to run safely (and sometimes we even care about efficiency.)

Then, someone comes in for what they think is a minor issue, feeling virtuous about trying to get ahead of a problem, and they leave wondering how the explosion of issues that they “must” fix came at them.

So what’s the takeaway? It’s not simply more clear communication, although that’s a big help.  It’s also about understanding people’s budget, in terms of time, energy, or competing work. It’s about understanding what their competing priorities are. Perhaps my mechanic can understand that my pending tax bill makes it hard to fix something right now, and can advise that it needs fixing on some other time frame. 

That understanding needs to be a two-way communication, and not just between me and my mechanic, but between security professionals and the organizations they serve.

Related content:

Security Lessons From My Doctor

 

Interop 2016 Las VegasFind out more about security threats and strategies  at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Adam is an entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped found the CVE and many other things. He's currently building his fifth startup, focused on improving security effectiveness, and mentors startups as a ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/22/2016 | 8:15:27 PM
Re: Don't know what kind of car you drive
Further compounding the issue is the lack of agreement on what some of the acronyms and other terminology should be.  (Is it XSRF or CSRF?  Depends whom you ask.)
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/22/2016 | 8:13:05 PM
oil change
If it makes you feel any better, mechanics know that the "3,000" miles or "5,000" miles recommended for oil change intervals is largely hooey.  ;)
chofijeff1
50%
50%
chofijeff1,
User Rank: Apprentice
2/22/2016 | 9:08:27 AM
Re: Don't know what kind of car you drive
Adam,

Thanks for a great article and analogy. I'm sharing it with my ITSEC department. I am very strong on explainng the TLA's and FLA's and have made it my mission in life to check and make sure everyone understands the Three Letter Acronyms and Four Letter Acronyms and even more importantly what they mean and what we are discussing. I get a lot of respect and appreciation for that.

On a personal note, why an engine had to come out for a pump, I don't know, and I don't know what you drive, but pulling an engine out of any car and replacing an oil pump can't be cheap and I'm sorry that happened to you. It's pretty unusual. I'm into classic cars as a hobby. Be safe and thanks again for a great article.

Geoff
Hallelujah
50%
50%
Hallelujah,
User Rank: Apprentice
2/19/2016 | 1:03:20 PM
Re: Don't know what kind of car you drive
I bet your mechanic told you the oil pump, not the pan, was the problem. The pan bolts on to the bottom of the engine; the pump is inside. This kind of reinforces your point about being precise and understandable in the use of terminology.
adamshostack
50%
50%
adamshostack,
User Rank: Apprentice
2/19/2016 | 11:46:59 AM
Re: Don't know what kind of car you drive
Thanks Randy!  True story!  And to extend the idea a bit: how do I go about finding a new mechanic?  It takes a lot of time and energy, and at least my car runs welll after he drains my wallet. 
RandyA007
50%
50%
RandyA007,
User Rank: Apprentice
2/19/2016 | 9:33:48 AM
Don't know what kind of car you drive
-but if your story is true, it may be time to get another car mechanic. But the analogy is right on target.

"Eschew Obfuscation"
scottw50
50%
50%
scottw50,
User Rank: Apprentice
2/19/2016 | 9:23:46 AM
Great Article
Appreciate your approach and understanding of how the "user" sees security and tech.  Your allegory is excellent.  Anything you can do to simplfy and clarify security exchanges between tech and client is appreciated.  I'm no dummy, but I left business eight years ago and keeping up is difficult.  Thanks for a great article.
Charlie Babcock
50%
50%
Charlie Babcock,
User Rank: Ninja
2/18/2016 | 3:59:52 PM
From oil pan to buffer overflow
Adrian makes a nice, down to earth analogy between car repair and system repair, and how each is preceived by the customer.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Cybercrime has become a well-organized business, complete with job specialization, funding, and online customer service. Dark Reading editors speak to cybercrime experts on the evolution of the cybercrime economy and the nature of today's attackers.